Video A'Roll Auto Editor v4.7

Security checks across malware telemetry and agentic risk

Overview

This is a local video auto-editing skill whose FFmpeg use, transcription, reports, and cleanup behavior match its stated purpose, with some privacy and path-handling cautions.

Install only if you are comfortable running a local Python media-processing script from this publisher. Use trusted FFmpeg and openai-whisper installs, keep videos in a dedicated folder, use a dedicated disposable work directory, avoid filenames with quotes or newlines, and review or delete generated reports if the videos contain private speech.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"-c:a", "aac", "-b:a", CONFIG['audio_bitrate'],
        output_path
    ]
    ok = subprocess.run(cmd, capture_output=True, text=True).returncode == 0
    if os.path.exists(list_file):
        os.remove(list_file)
    return ok
Confidence
80% confidence
Finding
ok = subprocess.run(cmd, capture_output=True, text=True).returncode == 0

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that batch mode will automatically clean intermediate files, but it does not clearly warn users about deletion behavior, scope, or overwrite risk in the working/output directories. In a tool that processes user-supplied paths and produces temporary artifacts, unclear documentation about automatic cleanup can lead to unintended data loss, especially if users point the work directory at an existing folder with valuable files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that batch mode cleans intermediate files, but it does not clearly warn users what will be deleted, where those files reside, or whether user-supplied working directories may be affected. In a media-processing tool that accepts folder paths and an optional work directory, unclear deletion behavior can lead to unintended data loss if users point the tool at important locations or misunderstand what counts as an intermediate file.

Ssd 3

Medium
Confidence
93% confidence
Finding
The generated per-video report stores full transcripts from processed media, which may contain sensitive spoken information such as personal, financial, or confidential content. Because reports are written to disk by default without redaction, access controls, or user consent, this expands the exposure surface beyond the original media files and can create unintended data leakage.

Ssd 3

Medium
Confidence
94% confidence
Finding
The batch report aggregates transcript summaries across multiple videos into a single output file, concentrating potentially sensitive speech data in one place. This increases privacy risk because a single report disclosure reveals content from many processed recordings, and the skill context involves user-supplied media that may reasonably include private conversations.

VirusTotal

59/59 vendors flagged this skill as clean.
